The basic firewall in Linux is iptables. But the iptables command is complex, and many users find it hard to remember all its options and when each of them should be used. Therefore distribution developers create their own front-ends to iptables that simplify firewall management. In CentOS the front-end for managing iptables is called Firewalld.
This daemon has several important differences compared to iptables. Network access is managed at the level of zones and services rather than chains and rules, and the rules are updated dynamically, without interrupting existing sessions. In this article we will look at configuring the firewall in CentOS 7 using Firewalld as the example.
The basics of using Firewalld
As mentioned above, the daemon works not with chains of rules but with zones. Each network interface can be assigned to a certain zone. A zone is a set of rules, restrictions and permissions that apply to that network interface. Only one zone can be selected for an interface. The developers have created several predefined zones:
- drop – block all incoming packets and allow only outgoing ones;
- block – unlike drop, the sender is notified that its packet was rejected (an ICMP prohibited message is returned);
- public – allows incoming connections only to ssh and dhclient;
- external – for use with NAT masquerading to hide the internal network;
- internal – the ssh, samba, dhcp and mdns services are enabled;
- dmz – used for isolated servers that have no access to the rest of the network; only SSH connections are allowed;
- work – the ssh and dhcp services are allowed;
- home – same as internal;
- trusted – everything is allowed.
Thus, to allow or deny a service, you add it to or remove it from the current zone, or move the interface to a zone where that service is allowed. You can draw an analogy with the default policies for packets in iptables: the trusted zone has an ACCEPT policy and allows all connections, the block zone has a DENY policy that denies all connections, and all other zones can be regarded as descendants of the block zone with predefined rules that allow network connections for some services.
Firewalld also has two kinds of configuration:
- runtime – valid only until a reboot (or a reload of the rules); all changes for which nothing else is explicitly stated apply to this configuration;
- permanent – permanent settings that remain in effect after a reboot.
Now you know everything you need, so let's move on to the firewall-cmd utility.
The syntax and options of firewall-cmd
The daemon's settings are managed with the console utility firewall-cmd or through a graphical interface. CentOS is most often used on servers, so you will have to work in the terminal. Let's look at the syntax of the utility:
To manage zones, the syntax is:
firewall-cmd --configuration --zone=zone option
As the configuration, specify the --permanent option to keep the changes after a reboot; if nothing is specified, the changes are valid only until a reboot. As the zone, use the zone name. Let's look at the utility's options:
- --state – show the state of the firewall;
- --reload – reload the rules from the permanent configuration;
- --complete-reload – hard reload of the rules that breaks all connections;
- --runtime-to-permanent – copy the runtime configuration into the permanent configuration;
- --permanent – work with the permanent configuration;
- --get-default-zone – display the zone that is used by default;
- --set-default-zone – set the default zone;
- --get-active-zones – display the active zones;
- --get-zones – show all available zones;
- --get-services – display the predefined services;
- --list-all-zones – display the configuration of all zones;
- --new-zone – create a new zone;
- --delete-zone – delete a zone;
- --list-all – print everything that has been added to the selected zone;
- --list-services – display all services that have been added to the zone;
- --add-service – add a service to the zone;
- --remove-service – remove a service from the zone;
- --list-ports – display the ports that have been added to the zone;
- --add-port – add a port to the zone;
- --remove-port – remove a port from the zone;
- --query-port – check whether a port has been added to the zone;
- --list-protocols – display the protocols that have been added to the zone;
- --add-protocol – add a protocol to the zone;
- --remove-protocol – remove a protocol from the zone;
- --list-source-ports – display the source ports added to the zone;
- --add-source-port – add a source port to the zone;
- --remove-source-port – remove a source port from the zone;
- --list-icmp-blocks – show the list of ICMP blocks;
- --add-icmp-block – add an ICMP block;
- --remove-icmp-block – remove an ICMP block;
- --add-forward-port – add a port redirection (NAT);
- --remove-forward-port – delete a port redirection (NAT);
- --add-masquerade – enable NAT masquerading;
- --remove-masquerade – disable NAT masquerading.
These are not all of the utility's options, but they are enough for this article.
The Firewall in CentOS 7
1. The status of the firewall
First you need to check the firewall status. To do this, run:
sudo systemctl status firewalld
If the firewalld service is not running, start it and enable it at boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Now check whether the daemon is running, using the firewall-cmd command:
sudo firewall-cmd --state
If the program is running and all is well, you will get the message “running”.
2. Managing zones
As noted, zones are the primary tool for managing network connections. To view the default zone, run:
sudo firewall-cmd --get-default-zone
In my case it is the public zone. You can change the default zone with the --set-default-zone option:
sudo firewall-cmd --set-default-zone=public
To view which zones are used for all the network interfaces, run:
sudo firewall-cmd --get-active-zones
The list shows the zones and the interfaces assigned to them. The following command shows the configuration of a specific zone, for example public:
sudo firewall-cmd --zone=public --list-all
3. Configuring services
You can view all the predefined services with the command:
sudo firewall-cmd --get-services
This command displays all available services; you can add any of them to a zone to allow it. For example, to allow connections to http:
sudo firewall-cmd --zone=public --add-service=http --permanent
And to remove the service, run:
sudo firewall-cmd --zone=public --remove-service=http --permanent
In both cases we used the --permanent option, so the configuration is preserved after a reboot. Changes made with --permanent do not take effect until the rules are reloaded (note that --reload also discards any runtime-only changes that were not saved with --runtime-to-permanent):
sudo firewall-cmd --reload
Then, if you look at the zone configuration, the added service will be listed:
sudo firewall-cmd --zone=public --list-all
4. How to open a port in Firewalld
If there is no predefined service for a program, you can open a port manually. To do this, simply add the desired port to the zone. For example, port 8083:
sudo firewall-cmd --zone=public --add-port=8083/tcp --permanent
To remove this port from the zone, run:
sudo firewall-cmd --zone=public --remove-port=8083/tcp --permanent
As with services, to actually open the port in the CentOS 7 firewall you need to reload the rules:
sudo firewall-cmd --reload
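Sections 2 to 4 above list what a zone allows; the following script is an added example (not code from the original article) that audits such a listing against an allowlist of the services and ports that are supposed to be open, so a service or port added at runtime and forgotten is noticed. SAMPLE_LISTING is constructed sample output in the format of `firewall-cmd --zone=public --list-all`, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original article: audit the output of
# "firewall-cmd --zone=public --list-all" against an allowlist of the services
# and ports that are supposed to be open. SAMPLE_LISTING is constructed sample
# output in the format firewall-cmd prints, not captured from a real host.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh telnet
  ports: 8083/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Print the space-separated value of one field ("services", "ports", ...) of a listing.
zone_field() {   # $1 = field name, $2 = listing text
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print each entry of a field that is not in the allowlist; return 1 if any were found.
unexpected_entries() {   # $1 = field name, $2 = allowlist (space-separated), $3 = listing
    found=0
    for entry in $(zone_field "$1" "$3"); do
        case " $2 " in
            *" $entry "*) ;;                                   # expected, say nothing
            *) printf '%s: %s\n' "$1" "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Audit services and ports together; return 1 when anything unexpected is open.
audit_zone() {   # $1 = listing text, $2 = allowed services, $3 = allowed ports
    status=0
    unexpected_entries services "$2" "$1" || status=1
    unexpected_entries ports "$3" "$1" || status=1
    return $status
}

# Stand-alone run; on a real host replace SAMPLE_LISTING with
# "$(sudo firewall-cmd --zone=public --list-all)".
audit_zone "$SAMPLE_LISTING" "dhcpv6-client http ssh" "8083/tcp" \
    || echo "audit: unexpected entries found in zone public"
```

With the sample listing the script reports telnet and 3306/tcp as unexpected and exits with status 1, which makes it usable from cron or a configuration check.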
5. Port forwarding in Firewalld
Port forwarding in Firewalld is much simpler to configure than in iptables. If, for example, you need to redirect traffic from port 2223 to port 22, it is enough to add a forward rule to the zone:
sudo firewall-cmd --zone=public --add-forward-port=port=2223:proto=tcp:toport=22
Here the redirection is performed only on the current machine. If you want to configure NAT and forward the port to another machine, you first need to enable masquerading (note that masquerading applies to the whole zone, and that the commands in this section are given without --permanent, so they are lost on reload unless saved with --runtime-to-permanent):
sudo firewall-cmd --zone=public --add-masquerade
Then you can add the port:
sudo firewall-cmd --zone=public --add-forward-port=port=2223:proto=tcp:toport=22:toaddr=192.168.56.4
6. Advanced rules (rich rules)
If the zone functionality is not enough for you, you can use rich rules. The general syntax of a rich rule is:
rule family="ipv4|ipv6" source destination log audit action
The basic parameters mean the following:
- As the protocol family you can specify ipv4 or ipv6; if nothing is specified, the rule applies to both protocols;
- source and destination are the sender and the receiver of the packet. They can be specified as an IP address (address), a service (service name), a port (port), a protocol (protocol) and so on;
- log – logs matching packets, for example to syslog; you can specify a prefix for the log line and the log level;
- audit – an alternative method of logging in which messages are sent to the auditd service;
- action – the action to perform on the matched packet. Available: accept, drop, reject, mark.
Let's look at some examples. Suppose we need to block access to the server for a user with IP 18.104.22.168:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=22.214.171.124 reject'
Or we want to deny this user access only to port 22:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=126.96.36.199 port port=22 protocol=tcp reject'
To view all rich rules, use the command:
sudo firewall-cmd --list-rich-rules
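The rich-rule grammar above is easy to get slightly wrong, and firewall-cmd only reports some mistakes when the rule is applied. The helper below is an added example (not code from the original article) that builds a rule from its parts and checks the family/address combination, the port range and the action first; it assumes the "rule family source [port] [log] action" form shown above and leaves out the mark action, which needs an extra set= argument.

```shell
#!/bin/sh
# Added example, not code from the original article: build a firewalld rich rule
# from its parts and check, before calling firewall-cmd, the combinations that
# firewalld rejects only at apply time (an IPv6 address under family="ipv4",
# a port outside 1-65535, an unknown action). Follows the grammar shown above:
# rule family source [port] [log] action. The "mark" action needs "set=" and is left out.

is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; }
is_ipv6() { printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f:]+(/[0-9]{1,3})?$'; }

# rich_rule FAMILY ADDRESS ACTION [PORT PROTOCOL] [LOG_PREFIX]
# Prints the rule text on success; prints a reason to stderr and returns 1 otherwise.
rich_rule() {
    family=$1 addr=$2 action=$3 port=$4 proto=$5 prefix=$6
    case $family in
        ipv4) is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; } ;;
        ipv6) is_ipv6 "$addr" || { echo "not an IPv6 address: $addr" >&2; return 1; } ;;
        *) echo "family must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    case $action in
        accept|drop|reject) ;;
        *) echo "action must be accept, drop or reject" >&2; return 1 ;;
    esac
    rule="rule family=\"$family\" source address=\"$addr\""
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        case $proto in
            tcp|udp) rule="$rule port port=\"$port\" protocol=\"$proto\"" ;;
            *) echo "protocol must be tcp or udp" >&2; return 1 ;;
        esac
    fi
    if [ -n "$prefix" ]; then
        rule="$rule log prefix=\"$prefix\" level=\"info\""
    fi
    printf '%s\n' "$rule $action"
}

# Stand-alone demo: the second example from the article, then a rule firewalld would refuse.
rich_rule ipv4 126.96.36.199 reject 22 tcp
rich_rule ipv4 2001:db8::1 reject || echo "rejected before reaching firewall-cmd"
```

The printed rule can be passed directly as the argument of --add-rich-rule, with --permanent and a reload as in the earlier sections.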
In this article we discussed how to configure the firewall in CentOS 7 and which tasks it can perform. The program is much easier to use than iptables, but in my opinion ufw, the firewall front-end for Ubuntu, is even easier to use.